Actions Authorizations
|
Since 4.8
This functionality is available since version 4.8.
|
Actions are generally considered "safe", as their execution involves checking appropriate authorizations.
For example, if one executes add action, the #add authorization relevant to object(s) being added is required.
However, to add another layer of security - for example, to prevent denial of service attacks - the mere execution of a action requires a special authorization.
Before midPoint 4.8, it was named http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#executeScript.
Unfortunately, the name was confusing.
It sounds like the authorization would allow to run Groovy (or Velocity, Python, JavaScript, and similar) scripts, which is not true.
(Because of their power, to run these scripts from actions before 4.8, the #all authorization was required.)
Since 4.8, the #executeScript authorization is replaced by http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#all.
Furthermore, it is now possible to allow or deny execution of individual actions using authorizations.
For example, if only http://midpoint.evolveum.com/xml/ns/public/security/authorization-bulk-3#assign is granted, then only assign action can be invoked.
See Actions.
The primary names of actions should be used: e.g., generate-value (not generateValue).